Technology Issues Report June and July 2007

My apologies for not putting out a report last month but between problems with my
computer and a holiday it just wasn’t possible. This is a combined report covering the
last 2 months. Some historical pieces have been included for curiosity.

1/ Which ISPs Are Spying on You? The few souls that attempt to read and
understand website privacy policies know they are almost universally unintelligible
and shot through with clever loopholes. But one of the most important policies to
know is your internet service provider's -- the company that ferries all your traffic to
and from the internet, from search queries to BitTorrent uploads, flirty IMs to porn.

Wired News, with help from some readers, attempted to get real answers from the
largest United States-based ISPs about what information they gather on their
customers' use of the internet, and how long they retain records like IP addresses, e-
mail and real-time browsing activity. Most importantly, we asked what they require
from law-enforcement agencies before coughing up the data, and whether they sell
your data to marketers. Only four of the eight largest ISPs responded to the 10-
question survey, despite being contacted repeatedly over the course of two months.
Some ISPs wouldn't talk to us, but gave answers to customers responding to a call for
reader help on Wired's Threat Level blog.

Marc Rotenberg, the executive director of the Electronic Privacy Information Center,
says ISPs should be more circumspect about keeping user data. Maintaining detailed
data for long periods of time makes any internet company a huge target for law
enforcement fishing expeditions. "From a user perspective, the best practice would be
for ISPs to delete data as soon as possible," Rotenberg said. "(The government) will
treat ISPs as one-stop shops for subpoenas unless there is a solid policy on data
destruction," Rotenberg said.

The results:

AOL, AT&T, Cox and Qwest all responded to the survey, with a mix of timeliness
and transparency. But only Cox answered the question, "How long do you retain
records of the IP addresses assigned to customers." These records can be used to trace
an internet posting, website visit or an e-mail back to an ISP's customers. The records
are useful to police tracking down child-porn providers, and music-industry groups
use them to sue file sharers. Companies have also used the records to track down
anonymous posters who write unflattering comments in stock-trading boards. Cox's
answer: six months. AOL says "limited period of time," while AT&T says it varies
across its internet-access offerings but that the time limits are all "within industry
standards."

Comcast, EarthLink, Verizon and Time Warner didn't respond.

Some of the most sensitive information sent across an ISP's network is the URLs of
the websites that people visit. This so-called clickstream data includes every URL a
customer visits, including URLs from search engines, which generally include the
search term. AOL, AT&T and Cox all say they don't store these URLs at all, while
Qwest dodged the question. Comcast, EarthLink, Verizon and Time Warner didn't
respond.

When asked if they allow marketers to see anonymised or partially-anonymised
clickstream data, AOL, AT&T and Cox said they did not, while Qwest gave a
muddled answer and declined to answer a follow-up question. Comcast, EarthLink,
Verizon and Time Warner didn't respond. This question was prompted by hints at a
web-data conference last March that ISPs were peddling their customer's anonymised
clickstream data to web marketers. Anonymization of data such as URLs and search
histories is not, however, a perfect science. This became clear last summer when AOL
employees attempted to provide the search-research community with a large body of
queries that researchers could mine to improve search algorithms. AOL researchers
replaced IP addresses with different unique numbers, but news organizations quickly
were able to find individuals based on the content of their queries.
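The AOL lesson above, as an added example that is not part of the original report or of AOL's own tooling: it pseudonymizes a constructed search log the way the article describes (each IP replaced by a unique number) and then runs the pre-release check a data custodian would want, flagging direct identifiers left behind in the query text and measuring how many pseudonyms a single unusual query would single out. The log entries, regex patterns and function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample search log as (client IP, query text). The addresses
# are RFC 5737 documentation ranges and the queries are invented; this is
# not real AOL data.
SAMPLE_LOG = [
    ("203.0.113.7", "weather springfield"),
    ("203.0.113.7", "14 elm street springfield property tax"),
    ("203.0.113.7", "ssn 123-45-6789 credit report"),
    ("198.51.100.22", "cheap flights"),
    ("198.51.100.22", "weather springfield"),
    ("192.0.2.9", "sprained ankle treatment"),
    ("192.0.2.9", "call 555-0199 dentist appointment"),
    ("192.0.2.9", "jdoe@example.com password reset"),
    ("192.0.2.9", "cheap flights"),
]


def pseudonymize(log):
    """Replace every client IP with a sequential opaque number.

    This mirrors the field-level step the article describes: the mapping is
    consistent (same IP -> same number) so researchers can still group
    queries per user, and the number carries no information about the
    original address. It leaves the query text completely untouched.
    """
    ids = {}
    out = []
    for ip, query in log:
        if ip not in ids:
            ids[ip] = len(ids) + 1
        out.append((ids[ip], query))
    return out


# Direct identifiers that may sit inside the query text itself. The patterns
# are deliberately simple; a real pre-release check would use a broader set
# (names, plate numbers, account numbers, ...).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+\s+(?:street|st|avenue|ave|road|rd|lane|ln)\b", re.I
    ),
}


def content_identifier_report(pseudo_log):
    """Map each pseudonym to the kinds of direct identifiers found in its queries."""
    report = defaultdict(set)
    for pid, query in pseudo_log:
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(query):
                report[pid].add(kind)
    return {pid: sorted(kinds) for pid, kinds in report.items()}


def singleton_query_share(pseudo_log):
    """Fraction of pseudonyms that issued at least one query nobody else issued.

    A query seen from only one pseudonym is a quasi-identifier: anyone who
    knows that a particular person searched for it can pick out that
    pseudonym and read the rest of its history. This generalises the AOL
    lesson beyond obvious identifiers such as SSNs.
    """
    issuers = defaultdict(set)
    for pid, query in pseudo_log:
        issuers[query.strip().lower()].add(pid)
    exposed = {next(iter(p)) for p in issuers.values() if len(p) == 1}
    total = {pid for pid, _ in pseudo_log}
    return len(exposed) / len(total) if total else 0.0


def release_decision(log):
    """Pseudonymize, then decide whether the result is safe to publish.

    Returns (safe, report, singleton_share); safe is False whenever any
    pseudonym's queries still contain a direct identifier.
    """
    pseudo = pseudonymize(log)
    report = content_identifier_report(pseudo)
    share = singleton_query_share(pseudo)
    return (not report), report, share


if __name__ == "__main__":
    safe, report, share = release_decision(SAMPLE_LOG)
    print("safe to release:", safe)
    for pid, kinds in sorted(report.items()):
        print(f"  pseudonym {pid}: {', '.join(kinds)}")
    print(f"pseudonyms with a query unique to them: {share:.0%}")
```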

Wired News also asked the companies if they have been in contact or discussions with
the government about how long they should be keeping data. The Justice Department,
along with some members of Congress, are pushing for European Union-style data-
retention rules that would require ISPs to store customer information for months or
years -- a measure law enforcement says is necessary to prosecute computer crimes,
such as trading in child pornography.

ISPs were nearly universally reluctant to talk about any conversations or meetings
they have had with federal officials. AOL had no comment, Qwest dodged the
question, AT&T wouldn't say, but noted it would broach the issue with the
government as part of an industry-wide discussion. For its part, Cox says it has not
been contacted.

As for whether they oppose data retention: Qwest said that the market should decide
how long data is kept, while Cox was "studying the issue"; AOL is working with the
industry and Congress, and AT&T is "ready to work with all parties." Internet
surveillance recently got easier, as the deadline passed last week for ISPs to equip
their networks to federal specifications for real-time surveillance of a target's e-mails,
VOIP calls and internet usage -- as well as data like IP address assignment and web
URLs. While law enforcement currently prefers to ask for stored internet records
rather than get real-time surveillance, that balance may shift once the nation's
networks are wired to government surveillance standards. (Wired News 30/5/07)

2/ Where We Stand One Year Later. Eleven months ago, as part of the
government's war on terrorism, Congress gave the Department of Justice sweeping
powers to peer into Americans' everyday activities. The hastily passed USA Patriot
Act swept aside the checks and balances that had traditionally prevented the FBI from
spying on Americans. It allowed federal investigators attempting to prevent future
attacks to seize data such as phone company records and observe private activity such
as a person's book-borrowing habits.

Critics say the act is a reactive, ineffective measure to quell fears of further attacks,
especially since the government already had obtained enough information before
Sept. 11 -- without a law that could potentially trample American citizens'
constitutionally protected rights -- to prevent the attacks. Proponents point to the
absence of additional large-scale terrorist attacks on American soil as proof of its
effectiveness.

Before Sept. 11, government investigators learned about al-Qaida operatives enrolled
in U.S. flight schools, which they failed to investigate, and seized a computer
belonging to the alleged 20th hijacker, Zacarias Moussaoui, which they failed to
search. The Patriot Act gives investigators access to even more tips and tidbits to sort
through as they search for solid leads. And more isn't necessarily better, critics say.
"The problem the government faces is largely a targeting problem," said Jim
Dempsey, deputy director of the Center for Democracy and Technology. "They don't
know who to tap, so they engage in widespread monitoring and collect far more
information than they can begin to digest."

How has the Patriot Act been applied in the year following the Sept. 11 attacks?

The complete answer to that question is difficult to ascertain. The law includes a gag
order that bars individuals who receive subpoenas or search warrants from making
that information public. And the Justice Department has rebuffed attempts by several
entities, including the American Civil Liberties Union and the House Judiciary
Committee -- which has oversight over the department -- to obtain details about how
the legislation has been applied.

For ordinary Americans, perhaps the most troubling provisions of the act deal with the
government's expanded power to monitor their communications as well as their
leisure-time activities, such as what they read or what they view on the Internet. And
while the government has been tight-lipped about these surveillance activities,
anecdotal data shows that investigators have been busy using their new powers to peer
into private data, and that, in some cases, organizations have volunteered customer
records without being asked. "The sheer volume of subpoenas for information from
telecommunication companies has tripled in the last year, starting the day after the
Patriot Act was passed," said Seattle telecommunications attorney Al Gidari, whose
clients include AOL and AT&T Wireless.

Gidari claims that FBI agents have attached the agency's secretive data-mining tool
Carnivore to ISP systems to check for website visits, terms entered into search
engines and e-mail headers. Likewise, he added, phone companies have been besieged
with FBI requests for data ranging from all records pertaining to a particular customer
-- such as numbers dialled, length of conversations and the geographical location of
the customer when the call was placed -- to details about every call placed to a
particular country.

Gidari worries about a tendency of investigators to categorize information requests as
"emergencies" in order to get customer data without a formal subpoena. The Patriot
Act allows businesses to volunteer customer records in emergency situations, and
agents have not hesitated to jump on the clause to pressure companies into immediate
cooperation.

Companies are starting to grumble about the constant push for information, he said.
"We're starting to see tension over what is and isn't an emergency, and a lot of carriers
and providers are insisting that agents get a subpoena. Otherwise, there is no
oversight, no legal process," Gidari said.

Another trend that has raised the eyebrows of privacy advocates is a surge in the
number of ISPs inviting the government to install Carnivore -- the use of which was
essentially ratified by the Patriot Act -- on their systems to thwart DOS attacks or
credit card fraud. But in doing so, ISPs are trusting the government to filter sensitive
data that is unrelated to the investigation, such as e-mail data of any customer.

Libraries have also had their share of visits from badge-flashers. The Sept. 11
hijackers used computer terminals at public libraries to communicate with each other,
and now the Patriot Act allows agents to examine library users' Internet surfing and
book-borrowing habits. According to an anonymous, nationwide survey of 1,503
public libraries last December, 220 libraries had received information requests from
the FBI after Sept. 11. Surprisingly, the poll also found that employees at 100 libraries
had taken it upon themselves to "report patron records and/or behaviours to outside
authorities."

"I think librarians are really caught in a quandary and feel that as a loyal, patriotic
citizen they should do this," said Leigh Estabrook, a library and information sciences
professor from the University of Illinois who conducted the research. "The library
community went through the same debate back in the '60s and '70s when people came
looking for The Anarchist's Cookbook."

Indeed, some library patrons have tapped into their inner John Ashcroft themselves. In
a recent Florida case, the police evacuated Punta Gorda's public library and arrested a
British man when a paranoid patron reported the chap was surfing bomb-making sites.
But when the smoke cleared, it turned out the Briton was merely looking for health
information; the patron mistook diagrams on the sites for drawings of explosives.

The American Library Association, which represents the nation's librarians, argues
that the Patriot Act violates patrons' privacy and free-speech rights. "There's a
dangerous presumption that there is a connection between what someone reads and
what they do afterward," said association president Maurice J. Freedman. "Just
because someone reads Mein Kampf doesn't mean they're going to become a Nazi."

Estabrook agreed. "There's a lot of little old ladies reading pot-boiler romances at
libraries who probably aren't having their bodices ripped off," Estabrook said.

But ultimately, privacy safeguards established at libraries long before Sept. 11 will
protect patrons' activities by limiting the amount of data investigators can seize,
Freedman said. Most library card catalogs use software such as Epixtech that only
tracks library property while it is checked out; as soon as the patron returns the
material, the record linking a borrower to a certain book, video or audiotape is
eliminated. Additionally, library staff routinely destroy Internet sign-up sheets at the
end of each business day. "We take our users' privacy very seriously," he said.
(Wired News 9/11/02)

3/ What's in a Laptop? Court Ponders Legality of Border Searches. Is your
laptop a fancy piece of luggage or an extension of your mind? That's the central
question facing a federal appeals court in a case that could sharply limit the
government's ability to snoop into laptop computers carried across the border by
American citizens. The question, before the 9th U.S. Circuit Court of Appeals, arose
from the prosecution of Michael Timothy Arnold, an American citizen whose laptop
was randomly searched in July 2005 at Los Angeles International Airport as he
returned from a three-week trip to the Philippines. Agents booted the computer and
began opening folders on the desktop, where they found a picture of two naked
women, continued searching, then turned up what the government says is child
pornography.

In June 2006, a judge from the U.S. District Court for the Central District of
California threw out the evidence, finding that customs officials must have at least
"reasonable suspicion" to begin prying into the contents of an electronic storage
device, a decision the government is now appealing. "Electronic storage devices
function as an extension of our own memory," Judge Dean Pregerson wrote. "They
are capable of storing our thoughts, ranging from the most whimsical to the most
profound. Therefore, government intrusions into the mind -- specifically those that
would cause fear or apprehension in a reasonable person -- are no less deserving of
Fourth Amendment scrutiny than intrusions that are physical in nature."

While it's not clear how many laptops are searched at the border each year, both
business and recreational travellers are increasingly toting computers with them,
complete with hard drives full of personal pictures, confidential corporate documents
and revealing internet logs. An October 2006 survey of business travel executives
revealed that some companies were rethinking rules on proprietary information being
stored on travelling laptops, and 1 percent of the respondents reported they had, or
knew someone who had, a laptop confiscated at the border.

The reach of such searches will likely widen as more and more people opt for
smartphones, such as Apple's upcoming iPhone, which combine elements of
traditional computers with the voice capabilities of a cell phone. The California
decision is the first to challenge that trend, and it makes laptops, and even USB
memory sticks, very different from every other item brought across the border,
including luggage, diaries, prescription drug bottles and sexual toys -- all of which
customs and border agents have been allowed to search without cause for years under
the "border exception" to the Fourth Amendment.

The government says the rationale behind that exception -- that border agents are
responsible for protecting the safety of the nation and enforcing copyright and
obscenity rules -- logically extends to laptops. "For constitutional purposes nothing
distinguishes a computer from other closed containers used to store highly personal
items," the Department of Justice argues in its appeal brief.

Moreover, requiring government agents to have a reasonable suspicion before
searching a laptop will invite smugglers and terrorists to hide contraband and
evidence there, the government argues. "If allowed to stand, the district court's
decision will seriously undermine the nation's vital interest in protecting its borders by
removing the significant deterrent effect of suspicionless searches," reads the filing.

Arnold's lawyers, Kevin Lahue and Marilyn Bednarski, disagree, arguing that it's not
very difficult for law enforcement agents to come up with "reasonable suspicion."
"No ordinary traveller would expect their private files to be searched at the border
without any reasonable justification," they told the appeals court. "The government's
argument that a traveller can simply avoid exposure by leaving the laptop at home is
an oversimplification of its function and role in daily life."

Lahue has support from the Association of Corporate Travel Executives and the
Electronic Frontier Foundation. The two groups submitted a friend-of-the-court brief
Tuesday arguing that suspicionless searches of laptops are overly invasive, and that
prior to the California ruling, the government had no limits on what it could do when
it seizes a laptop and makes a copy of the hard drive.

Already travellers have reported customs agents seizing laptops, making copies of the
hard drive and returning the computers weeks later. That practice scares the travel
execs' association and the EFF, which argue that under the government's reasoning,
border authorities could systematically copy all of the information contained on every
laptop computer and cell phone that crosses the border, without any court oversight.
"A suspicionless unrestricted search of a laptop computer is simply electronic
eavesdropping after the fact," the groups told the court. "(It) is distinguishable from
the forbidden general searches of Colonial times only by the technologies involved."

The case's outcome is far from clear-cut, according to Lahue. "A lot will depend on
whether the court decides it's like searching a piece of luggage or like a body-cavity
search," Lahue told Wired News. "A diary, even one that is labelled 'my secret sexual
fantasies,' has always been fair game." The government's reply brief is due June 26,
and the case will likely be argued sometime in the fall. (Wired News 20/6/07)

4a/ DHS Security Chief Dismisses Congress's Hacking Questions. Congress
asked Homeland Security's chief information officer, Scott Charbo, who has a
Masters in plant science, to account for more than 800 self-reported vulnerabilities
over the last two years and for recently uncovered systemic security problems in US-
VISIT, the massive computer network intended to screen and collect the fingerprints
and photos of visitors to the United States. Charbo's main tactic before the House
Homeland Security subcommittee Wednesday was to downplay the seriousness of the
threats and to characterize the security investigation of US-VISIT as simultaneously
old news and news so new he hasn't had time to meet with the investigators.

"Key systems operated by Customs and Border Patrol were riddled by control
weaknesses," Gregory Wilshusen, the Government Accountability Office's director of
information security issues, told the committee. Poor security practices and the
lack of an authoritative internal map of how various systems interconnect increase
the risk that contractors, employees or would-be hackers can or have penetrated and
disrupted key DHS computer systems, Wilshusen and Keith Rhodes, the GAO's director
of the Center for Technology and Engineering, told the committee.

Rep. Bob Etheridge (D-N.C.) pondered the worst case scenario for US-VISIT.
"Terrorists or nation states could get in there and change or alter their names
rendering our watchlists and visa program useless," Etheridge said. Charbo cited the
absence of evidence as the evidence of absence: "There are other controls placed
around that system and there is no evidence that the system has been hacked by
outsiders." (Ed. note: This is false, since US-VISIT was infected by a worm.)

US-VISIT has a long history of security problems and failing government audits.
Though the system is supposed to be self-contained, some undisclosed number of US-
VISIT computers running Microsoft 2000 were infected by the Zotob worm in August
of 2005, revealing not only that the system lacked good patch management, but that
somehow the system touches the internet. DHS attempted to hide the evidence, but a
persistent government sunshine lawsuit from Wired revealed the infection in the fall
of 2006.

But Charbo refused to admit that US-VISIT was deeply flawed. "The GAO did not
consider mitigating defences, and visited without putting the audit in the context of
the overall security environment," Charbo said. DHS self-reports to US-CERT, a
central computer security reporting centre, included notice of suspicious bot nets on
DHS computers and password sniffing software that could connect to the outside
world.

House Homeland Security Chair Bennie Thompson, who opened the hearing by
saying "the first thing Mr. Charbo needs to explain is why he should keep his job,"
pushed Charbo on unauthorized laptops and classified emails being sent on
unclassified networks (which must be pretty easy to do given the rabidness with
which Homeland Security classifies information). Charbo downplayed these threats,
too.

"Without exception, these incidents were when someone typed an email and sent
that item on an unclassified system and the person getting it said, 'I believe this is a
security breach,'" Charbo said, adding that at that point security personnel step in to
either educate, punish or remove security clearances, and that this kind of slip-up
happened just as often when offices didn't have IT systems.

The GAO's Rhodes jumped in to add that reporting by employees is hardly the ideal
auditing method for these kinds of breaks. "What has to be put in place is not just
personnel, but some control to keep people moving from one network to another
freely," Rhodes said. "Having free access from one side to another is only going to
foster the problem."

The most interesting moment of the hearing came from California Democrat Zoe
Lofgren asking if US-VISIT had ever been hacked. Read this post to find out GAO
and THREAT LEVEL's divergent answers.

4b/ Agencies Required To Eliminate Social Security Numbers From
Databases. The Office of Management and Budget is requiring federal agencies to
develop a plan to remove unnecessary social security numbers from their databases
and then actually remove them in the coming year and a half. It's not simple for
agencies, since they are used to overcollecting and storing information. Complying
with that policy to enhance data security will be difficult, said Dave Combs, chief
information officer at the Agriculture Department. SSNs are embedded in countless
government records as unique identifiers. In its most recent Federal Information
Security Management Act report, OMB said federal agencies have identified 10,595
systems that need to be searched, and possibly scrubbed, of personal information,
including SSNs, to minimize the risk of exposure.

“Every personnel folder in the federal government is chock full of SSNs,” Combs
said. Time and attendance reports have SSNs, often unnecessarily. “There are lots of
systems, and you can’t just snap your fingers and change it overnight,” he said.

I hope the new mandate forces the Department of Education to finally stop using
student loan holders' SSN as their account numbers. In the meantime, could someone
please, please get the Direct Loan people to STOP printing my social security number
in the "account number" box? Really, I know my social security number. I don't need
the Department of Education to mail it to me EVERY month. Instead, they can just
print "Your SSN is Your Account Number."

4c/ Energy Department Has Lost 1,427 Laptops in Past Six Years. Losing a
cell phone happens from time to time. But losing a laptop is another thing entirely. It
kind of goes beyond absent-mindedness. So what do you call losing 1,427 laptops in
six years, as the Energy Department has done? In a word, unbelievable. The Energy
Department revealed the bad news to Congress on Thursday after a FOIA request
filed by a D.C. news radio station brought the information to light. The good news?
None of the laptops had classified information on it. And none of the employees
responsible for such superhuman carelessness has been disciplined. Huzzah!

4d/ White House Issues Data Breach Prevention Guidelines. The White House
this week sent a directive to government agencies to reduce their collection, storage
and chances of loss or theft of personal information such as social security numbers.
The memo from the Office of Management and Budget gives agencies 120 days to
come up with data breach notification policies for electronic and paper documents.

The White House asked agencies to take three important steps:

--reduce the volume of collected and retained information to the minimum necessary
--limit access to only those individuals who must have such access
--use encryption, strong authentication procedures, and other security controls

(Wired News 20/6/07)

5/ Pentagon to Merge Next-Gen Binoculars With Soldiers' Brains. Darpa
says a soldier's brain can be monitored in real time, with an EEG picking up "neural
signatures" that indicate target detection.

U.S. Special Forces may soon have a strange and powerful new weapon in their
arsenal: a pair of high-tech binoculars 10 times more powerful than anything available
today, augmented by an alerting system that literally taps the wearer's prefrontal
cortex to warn of furtive threats detected by the soldier's subconscious.

In a new effort dubbed "Luke's Binoculars" -- after the high-tech binoculars Luke
Skywalker uses in Star Wars -- the Defense Advanced Research Projects Agency is
setting out to create its own version of this science-fiction hardware. And while the
Pentagon's R&D arm often focuses on technologies 20 years out, this new effort is
dramatically different -- Darpa says it expects to have prototypes in the hands of
soldiers in three years. The agency claims no scientific breakthrough is needed on the
project -- formally called the Cognitive Technology Threat Warning System. Instead,
Darpa hopes to integrate technologies that have been simmering in laboratories for
years, ranging from flat-field, wide-angle optics, to the use of advanced
electroencephalograms, or EEGs, to rapidly recognize brainwave signatures.

In March, Darpa held a meeting in Arlington, Virginia, for scientists and defence
contractors who might participate in the project. According to the presentations from
the meeting, the agency wants the binoculars to have a range of 1,000 to 10,000
meters, compared to the current generation, which can see out only 300 to 1,000
meters. Darpa also wants the binoculars to provide a 120-degree field of view and be
able to spot moving vehicles as far as 10 kilometres away.

The most far-reaching component of the binocs has nothing to do with the optics: it's
Darpa's aspirations to integrate EEG electrodes that monitor the wearer's neural
signals, cueing soldiers to recognize targets faster than the unaided brain could on its
own. The idea is that EEG can spot "neural signatures" for target detection before the
conscious mind becomes aware of a potential threat or target. Darpa's ambitions are
grounded in solid research, says Dennis McBride, president of the Potomac Institute
and an expert in the field. "This is all about target recognition and pattern
recognition," says McBride, who previously worked for the Navy as an experimental
psychologist and has consulted for Darpa. "It turns out that humans in particular have
evolved over these many millions of years with a prominent prefrontal cortex."

That prefrontal cortex, he explains, allows the brain to pick up patterns quickly, but it
also exercises a powerful impulse control, inhibiting false alarms. EEG would
essentially allow the binoculars to bypass this inhibitory reaction and signal the
wearer to a potential threat. In other words, like Spiderman's "spider sense," a soldier
could be alerted to danger that his or her brain had sensed, but not yet had time to
process.

That said, researchers are circumspect about plans to deploy the technology. One
participant in last month's Darpa workshop, John Murray, a scientist at SRI
International, says he thought the technology was feasible "in a demonstration
environment," but fielding it is another matter. "In recent years the ability to measure
neural signals and to analyse them quickly has advanced significantly," says Murray,
whose own work focuses on human effectiveness. "Typically in these situations, there
are a whole lot of other issues (involved) in building and deploying, beyond the
research."

It's unclear what the final system will look like. The agency's presentations show
soldiers operating with EEG sensors attached helmet-style to their heads. Although
the electrodes might initially seem ungainly, McBride says that the EEG technology is
becoming smaller and less obtrusive. "It's easier and easier," he says. But getting the
system down to a target weight of less than five pounds will be a challenge, and
Darpa's presentations make it clear that size and power are also issues. But even if
EEG doesn't make it into the initial binoculars, researchers involved in other areas say
there are plenty of improvements to existing technology that can be fielded.

For example, another key aspect of the binoculars will detect threats using
neuromorphic engineering, the science of using hardware and software to mimic
biological systems. Paul Hasler, a Georgia Institute of Technology professor who
specializes in this area and attended the Darpa workshop, describes, for example, an
effort to use neural computation to "emulate the brain's visual cortex" -- creating
sensors that, like the brain, can scan across a wide field of view and "figure out what's
interesting to look at."

While some engineers are mimicking the brain, others are going after the eye.
Vladimir Brojavic, a former Carnegie Mellon University professor, specializes in a
technology that replicates the function of the human retina to allow cameras to see in
shadows and poor illumination. He attended last month's workshop, but he said he
was unsure whether his company, Intrigue Technologies, would bid for work on the
project. "I'm hesitant to pick it up, in case it would distract us from our product
development," he says.

According to the Darpa presentations, the first prototypes of Luke's Binoculars could
be in soldiers' hands within three years. That's an ambitious schedule, and an unusual
one for Darpa, note several workshop attendees, who also say they expect fierce
competition over the project. The list of attendees at the meeting ranged from
university professors to major contractors. Spokespeople for Lockheed Martin and
Raytheon both confirmed interest in the program, but declined to say whether they
would bid on it.

Once fielded, Darpa indicates the measure of success lies with the military. According
to information the agency provided to industry, initial prototypes would go to Special
Forces. If the military asks to keep the binoculars after the trials, "that's exactly what
you want here," Darpa wrote. "That's success." Why all the rush? "I have to wonder if
they aren't under pressure from Congress to make a contribution (to the war on
terrorism), or if DOD is really leaning on them to come up with some stuff," suggests
Jonathan Moreno, a professor of ethics at the University of Pennsylvania, whose
recent book, Mind Wars, looks at the Pentagon's burgeoning interest in neuroscience.
Darpa did not respond to press inquiries about the program.

Despite the fast schedule, McBride, of the Potomac Institute, thinks the idea is doable.
"It's a risky venture, but that's what Darpa does," he says. "It's absolutely feasible."
(Wired News 20/6/07)

6/ Narcissistic Blog Disorder and Other Conditions of Online Kookery. The
AMA recently suggested that perhaps gaming addiction should be considered as a
sub-category of internet addiction. This is a step in the right direction.

Clearly "internet addiction" doesn't begin to cover the realm of bizarre and
pathological behaviours the internet inspires. Herewith a list of afflictions and
syndromes I feel should be added to the Diagnostic and Statistical Manual of Mental
Disorders IV, or perhaps the DSM IV.Ib.

Narcissistic Blog Disorder

This disorder is characterized by the creation of a blog in which the individual
consistently denigrates not only the opinions of others, but the very fact that others
have opinions, saying things like "nobody cares what some overpaid starlet has to say
about global warming" and "nobody cares what some crusty career politician thinks is
wrong with society today." Simultaneously, the individual assumes that people do
care about what he or she has to say, in spite of the individual's only political or
activist experience being watching the movie Dave twice.

Web bookmarks remain a popular way to waste time when one should be working.
You check a site or two, get something done for a little while, then check your
bookmarks again. Careful research, however, has shown that at a certain point the list
of bookmarks grows, the "get something done" period shrinks, until the reader goes
directly from the end of the list back to the top, just in case there are new updates.
Once entered, this "bookmark loop state" often cannot be broken until a couple hours
after a sane bedtime.

E-mail Gullibility Syndrome

Adults who preserve a healthy scepticism when people knock on their door asking for
assistance or political support often lose that sense of suspicion when they first
receive an e-mail account. Every caution about the dangers of kiwi fruit, every
warning that the U.S. Congress is about to outlaw Santa Claus and every plea for
assistance from deposed royalty is treated with utmost credulity and, where
appropriate, forwarded to a dozen of the recipient's long-suffering friends and family
members. Luckily this is usually a self-resolving disorder, disappearing after two
years or $30,000 is lost, whichever comes first.

Atemporal Fad Disorder

The desire to participate in an internet fad is considered by psychologists to be a
natural, if sometimes unfortunate, aspect of human nature. Some individuals,
however, appear to have a clinical inability to recognize the fleeting nature of fads,
and continue to attempt to participate after everyone else is sick to death of the whole
thing. The current diagnostic criterion is "the use of the phrase 'all your base are
belong to us' in any non-ironic context" but in 2010 it is expected to be expanded to
include any suggestion that a photo depicts a cat interacting with an invisible object.

Pugilistic Discussion Syndrome

In this curious form of aphasia, the subject is unable to distinguish between a
discussion and a contest. The subject approaches any online forum as a sort of playing
field, and attempts to "win" the discussion by any means necessary. The rules of the
imaginary contest are apparently clear to the individual as he or she will often point
out when others break them, but when asked to outline these rules the individual is
reluctant, perhaps not wishing to confer an "advantage" on any "opponents." The
conditions for winning are similarly difficult to pin down, although in some cases the
individual will declare himself the winner of a discussion that, to all others, appears to
be ongoing.

Amusement Identity Disorder

This is a sort of inverse cousin to Pugilistic Discussion Syndrome, in which the
individual has difficulty distinguishing between an online game and real life. The
individual sees his or her online character as being as "real" as the individual's real-
world self, if not more so. One manifestation of this disorder is the tendency to treat
game accomplishments such as impressive magic items or guild leadership as the
equivalent of real-life accomplishments like pursuing a successful career or raising a
family. In addition to impairing the individual's personal growth in the real world, this
disorder also makes them extremely boring at parties.

Born helpless, nude and unable to provide for himself, Lore Sjoberg eventually
overcame these handicaps to suffer from at least two of the above afflictions.
(Wired News 20/6/07)

7/ Make Vendors Liable for Bugs. Have you ever been to a retail store and
seen this sign on the register: "Your purchase free if you don't get a receipt"? You
almost certainly didn't see it in an expensive or high-end store. You saw it in a
convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a
security device, and a clever one at that. And it illustrates a very important rule about
security: It works best when you align interests with capability.

If you're a store owner, one of your security worries is employee theft. Your
employees handle cash all day, and dishonest ones will pocket some of it for
themselves. The history of the cash register is mostly a history of preventing this kind
of theft. Early cash registers were just boxes with a bell attached. The bell rang when
an employee opened the box, alerting the store owner -- who was presumably
elsewhere in the store -- that an employee was handling money. The register tape was
an important development in security against employee theft. Every transaction is
recorded in write-only media, in such a way that it's impossible to insert or delete
transactions. It's an audit trail. Using that audit trail, the store owner can count the
cash in the drawer, and compare the amount with what the register tape says. Any
discrepancies can be docked from the employee's paycheck. If you're a dishonest
employee, you have to keep transactions off the register. If someone hands you
money for an item and walks out, you can pocket that money without anyone being
the wiser. And, in fact, that's how employees steal cash in retail stores.
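
The register tape described above, as an added example (not code from the essay or from any product it mentions), modelled as an append-only, hash-chained transaction log. Each entry commits to the previous one, so deleting or inserting a transaction breaks the chain, and the recorded total can be reconciled against the cash in the drawer. The item names, prices and the "drawer" figures are constructed sample data; the class and function names are this example's own.

```python
"""Tamper-evident 'register tape': an append-only, hash-chained transaction log.

Added example, not from the original article. Amounts are in cents to avoid
floating-point drift. All sample transactions below are constructed.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def _entry_hash(prev_hash: str, seq: int, item: str, cents: int) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical fields always hash identically.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "item": item, "cents": cents},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class RegisterTape:
    """Append-only log; there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def ring_up(self, item: str, cents: int) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "item": item, "cents": cents, "prev": prev,
                 "hash": _entry_hash(prev, seq, item, cents)}
        self.entries.append(entry)
        return entry

    def total_cents(self) -> int:
        return sum(e["cents"] for e in self.entries)


def verify_tape(entries: List[Dict], expected_tail: Optional[str] = None) -> Optional[int]:
    """Return None if the tape is intact, else the index of the first bad entry.

    expected_tail is the last hash as recorded somewhere the cashier cannot
    reach (the owner's copy). Without it, tearing off the END of the tape is
    undetectable, because a shortened chain is still a valid chain.
    """
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if (e["seq"] != expected_seq or e["prev"] != prev
                or e["hash"] != _entry_hash(prev, e["seq"], e["item"], e["cents"])):
            return expected_seq
        prev = e["hash"]
    if expected_tail is not None and prev != expected_tail:
        return len(entries)  # chain is internally consistent but has been truncated
    return None


def reconcile(entries: List[Dict], cash_in_drawer_cents: int) -> int:
    """Drawer minus tape. Negative means cash recorded on the tape is missing."""
    return cash_in_drawer_cents - sum(e["cents"] for e in entries)


def demo() -> Dict[str, Optional[int]]:
    tape = RegisterTape()
    for item, cents in [("coffee", 250), ("sandwich", 675), ("newspaper", 150)]:
        tape.ring_up(item, cents)
    tail = tape.entries[-1]["hash"]  # the owner keeps this off the register

    # A middle entry is removed: sequence numbers and prev-links no longer line up.
    deleted_middle = [tape.entries[0], tape.entries[2]]
    # An amount is altered in a copy of entry 1: its stored hash no longer matches.
    altered = [dict(e) for e in tape.entries]
    altered[1]["cents"] = 75
    # The last entry is torn off: only the externally kept tail hash catches this.
    truncated = tape.entries[:2]

    return {
        "total": tape.total_cents(),                         # 1075
        "intact": verify_tape(tape.entries, tail),           # None
        "deleted_middle_at": verify_tape(deleted_middle, tail),  # 1
        "altered_at": verify_tape(altered, tail),            # 1
        "truncated_no_anchor": verify_tape(truncated),       # None (undetected!)
        "truncated_with_anchor": verify_tape(truncated, tail),   # 2
        "drawer_matches": reconcile(tape.entries, 1075),     # 0
        "drawer_short": reconcile(tape.entries, 1000),       # -75
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the essay makes fall straight out of the code. First, the tape only catches what was written to it: a sale that is never rung up leaves neither the chain nor the reconciliation any worse, which is exactly why the owner has to recruit the customer with the receipt sign. Second, an append-only log needs an anchor kept outside the writer's reach (the `expected_tail` here; on paper, the owner's copy of the tape), or else discarding the tail goes unnoticed.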

What can the store owner do? He can stand there and watch the employee, of course.
But that's not very efficient; the whole point of having employees is so that the store
owner can do other things. The customer is standing there anyway, but the customer
doesn't care one way or another about a receipt.

So here's what the employer does: He hires the customer. By putting up a sign saying
"Your purchase free if you don't get a receipt," the employer is getting the customer to
guard the employee. The customer makes sure the employee gives him a receipt, and
employee theft is reduced accordingly. There is a general rule in security to align
interest with capability. The customer has the capability of watching the employee;
the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

"When ATM cardholders in the U.S. complained about phantom withdrawals from
their accounts, the courts generally held that the banks had to prove fraud. Hence, the
banks' agenda was to improve security and keep fraud low, because they paid the
costs of any fraud. In the U.K., the reverse was true: The courts generally sided with
the banks and assumed that any attempts to repudiate withdrawals were cardholder
fraud, and the cardholder had to prove otherwise. This caused the banks to have the
opposite agenda; they didn't care about improving security, because they were content
to blame the problems on the customers and send them to jail for complaining. The
result was that in the U.S., the banks improved ATM security to forestall additional
losses -- most of the fraud actually was not the cardholder's fault -- while in the U.K.,
the banks did nothing." The banks had the capability to improve security. In the U.S.,
they also had the interest. But in Britain, only the customer had the interest. It wasn't
until the British courts reversed themselves and aligned interest with capability that
ATM security improved.

Computer security is no different. For years I have argued in favour of software
liabilities. Software vendors are in the best position to improve software security; they
have the capability. But, unfortunately, they don't have much interest. Features,
schedule and profitability are far more important. Software liabilities will change that.
They'll align interest with capability, and they'll improve software security.

One last story. In Italy, tax fraud used to be a national hobby. (It may still be; I don't
know.) The government was tired of retail stores not reporting sales and not paying
taxes, so a law was passed regulating the customers. Any customer having just
purchased an item and stopped within a certain distance of a retail store, has to
produce a receipt or face a fine. Just as in the "Your purchase free if you don't get a
receipt" story, the law turned the customers into tax inspectors. They demanded
receipts from merchants, which in turn forced the merchants to create a paper audit
trail for the purchase and pay the required tax.

This was a great idea, but it didn't work very well. Customers, especially tourists,
didn't like to be stopped by police. People started demanding that the police prove
they just purchased the item. Threatening people with fines if they didn't guard
merchants wasn't as effective an enticement as offering people a reward if they didn't
get a receipt. Interest must be aligned with capability, but you need to be careful how
you generate interest. (Wired News 1/6/07)

8/ June 1, 1890: Census Bureau Can Finally Keep Tabs on a Growing
Nation. 1890: The U.S. Census Bureau uses a tabulating machine for the first time.
Freed of the laborious process of hand-sorting its data, the bureau is able to produce a
complete census within two years. The machine was built by Herman Hollerith, a
New York statistician. Hollerith undertook the project under contract from the Census
Bureau, which had taken eight years to tabulate its 1880 census, making it effectively
out of date before it appeared.

The problem was exacerbated by the mushrooming population of the United States. In
1790, when the first census was taken, the nation had 3.8 million people. By 1860 it
had reached 31.8 million. By 1880, with the westward expansion of the nation and the
growing urban population, another 15 million Americans were on the books. It was
clear to the census takers that their job would become impossible unless there was a
great leap forward in tabulating technology. Enter Hollerith.

Data for his tabulator was taken using a punch card, known as the Hollerith card. For
ease of storage it was made the same size as paper currency and the machine
employed spring-loaded needles capable of reading whether or not a hole had been
punched. An electric contact was made when a hole was recognized, which set off a
bell and sent the data to a counter. In the wake of this success, Hollerith established a
company to market his machine. This company later merged with a couple of other
firms and, eventually, IBM was born. (Wired News 1/6/07)

9/ Hospitals Nationwide Combat Employee Camera-Phone Abuse. A rash of
incidents in hospitals across the country involving camera phones has led to firings --
and the realization that monitoring the devices in clinical facilities is no easy task.
After sorting through red tape, a California hospital has fired nine employees who in
April either took or looked at camera-phone photos of a patient's X-ray. Meanwhile,
at least three other hospitals across the country are struggling with similar problems.
"I think all hospitals in the United States are going to have to deal with (camera-phone
use)," said Suellyn Ellerbe, chief executive officer of Tri-City Medical Center in
Oceanside, California, a suburb north of San Diego. Photo-equipped PDAs, which
doctors frequently use, pose special problems, said Ellerbe, whose hospital fired the
nine workers.

Camera phones are a difficult privacy issue for medical institutions because
regulations banning them -- which already exist in many hospitals -- are difficult to
enforce. But high-profile cases may be spreading the word that taking pictures on the
job can lead to unemployment.

Tri-City Medical executives fired employees -- including emergency-medical
technicians, nurses and secretaries -- whether they took photos of the X-ray or simply
looked at them without reporting the incident, Ellerbe said. One other employee was
suspended without pay, said hospital spokesman Jeff Segall. Ellerbe declined to give
details about the X-ray except to say it did not disclose the patient's identity. In
another case at Tri-City Medical, a security guard stopped a secretary from taking a
camera-phone picture of a suicidal psychiatric patient. The secretary resigned, Segall
said. Hospital regulations ban photography without permission and forbid employees
from using cell phones on the job, Ellerbe said. Signs also remind visitors not to use
camera phones.

In another camera-phone case, a former respiratory therapist at Rady Children's
Hospital in San Diego faces felony charges over allegations that he took eight
photographs of two bedridden children using a cell phone, said Steve Walker,
spokesman for the San Diego County District Attorney's Office. Contrary to a
newspaper report, he said none of the images were distributed on the internet. In
response to the problems, hospital administrators have banned staff from using cell
phones in clinical areas, and all cell phones are forbidden in the convalescent unit,
said administrator Pamela Dixon. But doctors, who are not employees of the hospital,
refused to allow a ban on their use of cell phones.

Another case, in Iowa City, Iowa, involved a May 18 newspaper article that police
were investigating reports that someone took nude photos of nursing residents with a
camera phone. Cell phones reportedly are now banned at the facility.

It's unclear how many hospitals have policies regulating camera phones, but their
numbers seem to be growing. Last year, the Southern California hospital chain
Scripps Health added camera phones and PDAs to its policies restricting photography,
although they are not officially banned.

Scripps Health, which runs five hospitals and 13 outpatient clinics, told Wired News
it has fired employees in the last month for violating photography rules, although
fewer than a dozen of its 11,000 employees have been sacked for privacy violations
over the past year.

While some hospital attorneys told Wired News they'd never dealt with the camera-
phone issue, others said they'd discussed methods of enforcing a ban. "They could
search everybody's purse, but I don't think that's an environment that health-care
facilities want," said Katherine Benesch, a health-law attorney in Princeton, New
Jersey, who has helped nursing homes create policies banning camera phones.

Posting signs and writing policies, however, can't prevent all photography in
hospitals, especially when it's done with such easily concealed devices. Ultimately,
said Dr. David Cameron, a physician and health-law attorney in Toronto, "there isn't a
lot of power that the hospital has to keep these things from happening."
(Wired News 1/6/07)

10/ Do We Really Need a Security Industry? Last week I attended the
Infosecurity Europe conference in London. Like at the RSA Conference in February,
the show floor was chockablock full of network, computer and information security
companies. As I often do, I mused about what it means for the IT industry that there
are thousands of dedicated security products on the market: some good, more lousy,
many difficult even to describe.

Why aren't IT products and services naturally secure, and what would it mean for the
industry if they were? I mentioned this in an interview with Silicon.com, and the
published article seems to have caused a bit of a stir. Rather than letting people
wonder what I really meant, I thought I should explain.

The primary reason the IT security industry exists is because IT products and services
aren't naturally secure. If computers were already secure against viruses, there
wouldn't be any need for antivirus products. If bad network traffic couldn't be used to
attack computers, no one would bother buying a firewall. If there were no more buffer
overflows, no one would have to buy products to protect against their effects. If the IT
products we purchased were secure out of the box, we wouldn't have to spend billions
every year making them secure.

Aftermarket security is actually a very inefficient way to spend our security dollars; it
may compensate for insecure IT products, but doesn't help improve their security.
Additionally, as long as IT security is a separate industry, there will be companies
making money based on insecurity -- companies who will lose money if the internet
becomes more secure. Fold security into the underlying products, and the companies
marketing those products will have an incentive to invest in security upfront, to avoid
having to spend more cash obviating the problems later. Their profits would rise in
step with the overall level of security on the internet. Initially we'd still be spending a
comparable amount of money per year on security -- on secure development practices,
on embedded security and so on -- but some of that money would be going into
improving the quality of the IT products we're buying, and would reduce the amount
we spend on security in future years.

I know this is a utopian vision that I probably won't see in my lifetime, but the IT
services market is pushing us in this direction. As IT becomes more of a utility, users
are going to buy a whole lot more services than products. And by nature, services are
more about results than technologies. Service customers -- whether home users or
multinational corporations -- care less and less about the specifics of security
technologies, and increasingly expect their IT to be integrally secure.

Eight years ago, I formed Counterpane Internet Security on the premise that end users
(big corporate users, in this case) really don't want to have to deal with network
security. They want to fly airplanes, produce pharmaceuticals or do whatever their
core business is. They don't want to hire the expertise to monitor their network
security, and will gladly farm it out to a company that can do it for them. We provided
an array of services that took day-to-day security out of the hands of our customers:
security monitoring, security-device management, incident response. Security was
something our customers purchased, but they purchased results, not details.

Last year BT bought Counterpane, further embedding network security services into
the IT infrastructure. BT has customers that don't want to deal with network
management at all; they just want it to work. They want the internet to be like the
phone network, or the power grid, or the water system; they want it to be a utility. For
these customers, security isn't even something they purchase: It's one small part of a
larger IT services deal. It's the same reason IBM bought ISS: to be able to have a
more integrated solution to sell to customers.

This is where the IT industry is headed, and when it gets there, there'll be no point in
user conferences like Infosec and RSA. They won't go away; they'll simply become
industry conferences. If you want to measure progress, look at the demographics of
these conferences. A shift toward infrastructure-geared attendees is a measure of
success.

Of course, security products won't disappear -- at least, not in my lifetime. There'll
still be firewalls, antivirus software and everything else. There'll still be start-up
companies developing clever and innovative security technologies. But the end user
won't care about them. They'll be embedded within the services sold by large IT
outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast.
Or they'll be a check-box item somewhere in the core switch.

IT security is getting harder -- increasing complexity is largely to blame -- and the
need for aftermarket security products isn't disappearing anytime soon. But there's no
earthly reason why users need to know what an intrusion-detection system with
stateful protocol analysis is, or why it's helpful in spotting SQL injection attacks. The
whole IT security industry is an accident -- an artefact of how the computer industry
developed. As IT fades into the background and becomes just another utility, users
will simply expect it to work -- and the details of how it works won't matter.
(Wired News 3/5/07)

11/ Digital Da Vinci Codes: Thousands of Leonardo's Papers Go Online. The
e-Leo archive lets users sift through a huge stash of Leonardo Da Vinci's drawings
and writings.

The tiny brick library in Leonardo Da Vinci's hometown is putting 3,000 pages of the
genius' work online in a high-resolution, searchable archive. The Leonardian Library
in Vinci, Tuscany, is making the Madrid Codices and the Codex Atlanticus -- two
collections of scientific and technical drawings -- available as a free digital archive
called e-Leo. The EU-financed project will also digitize the Windsor folios and 12
notebooks from the Institut de France for a total of 12,000 pages, creating the most
extensive public online archive of Leonardo's codes.

It's a powerful resource for amateurs -- Renaissance groupies, crowdsourcers looking
for technical solutions -- who make half of all requests to the library in the hamlet
where Leonardo was born. E-Leo won't be putting lone librarian Monica Taddei out
of a job anytime soon, though. Taddei often navigates the texts for experts in technical
fields looking for sketches of things like valves or siphons. The Madrid Codices are
especially fertile for designs. Alas, e-Leo is not quite ready for Dan Brown buffs or
8th-grade homework assignments.

While the digital notebooks offer advantages to make academics sob with joy --
semantic search functions, clustered results -- most of them vanish without a working
knowledge of 15th-century Italian. (Forms in English are expected in about two
months; an index of drawings in English is expected by year's end.) To index
Leonardo's designs and irregular vocabulary, text-mining company Synthema teamed
up with engineers from the University of Florence and the Accademia della Crusca,
Italy's national language institute founded in 1582. "Leonardo had a very modern way
of jumbling things together, a true multitasker," says Federico Neri, head of R&D at
Synthema. "There are technical specifications next to shopping lists. Finding anything
used to be mining in a literal sense." Neri hopes to eventually develop a
multilanguage version to help readers explore the notebooks.

Nonetheless, there are plenty of curiosities for the lay reader. Even a quick spin may
turn up, as it did on a recent once-over of the Codex Atlanticus, the spring-propelled
vehicle thought to be a precursor to Mars rovers. And the high-resolution images are
arguably as close as one will get to the real thing unless you're Bill Gates. There are
references to a sketch in the Codex Atlanticus showing the backside of Leonardo's
comely assistant, Salaino, with penises speeding at him. When an e-Leo user's
attempts to find it fail, Taddei recites a folio number from memory with the cool
aplomb of a professional used to stewarding odd requests. Punching it in brings up a
crude drawing in a childish hand, clearly not Leonardo's. "I'm afraid that's the one,
though it's not what you'd expect," Taddei says. "Hang on though." The librarian taps
in some more numbers then goes off to check a reference in a book. "Here's what you
want: Try 674r."

The image takes a few seconds to load, but at the centre of the page is a small,
anatomical sketch of a young man's privates and a peachy bum.
(Wired News 21/6/07)

12/ Century-Old Quarantine Law Puts Patient Rights at Risk. The first
federal quarantine case in the United States in 44 years has galvanized debate over
efforts to reform the nation's century-old quarantine law, crafted before the civil rights
movement, modern privacy and bio-terrorism concerns. Legal experts say quarantine
regulations don't protect the rights of the sick or those who have been exposed to
disease, nor do they provide appeals. But opposition from airlines and privacy-
watchdog groups are slowing efforts toward reform that began in 2005.

On Tuesday, a man with a dangerous form of tuberculosis was quarantined in Atlanta,
Georgia, after he evaded health authorities while travelling in Europe. He travelled to
France, Italy, Czech Republic and Canada before reporting to CDC headquarters on
Tuesday, and on Thursday arrived at a specialist hospital in Denver for treatment.

While states have updated their quarantine laws, the federal government, which steps
in when certain infectious diseases are involved with international or interstate travel,
is still using a law drafted in the 19th century (with some adjustments made in the
1940s). The last federal case involved a patient possibly exposed to smallpox in 1963.
The world, of course, has changed since then. "We're a much more mobile society
than we used to be, with a lot more travel interstate and internationally," said Wendy
Parmet, a Northeastern University law professor who studies public-health law.

In 2005, the CDC began accepting public comments about a major revision of its
policy. Among other things, the CDC wants easy access to flight manifests during a
health emergency to make it possible to reach people who may have been exposed to
disease on planes more quickly. Airlines have complained about the cost of better
record-keeping, which the CDC has estimated will cost the industry $108 million a
year.

The rules were proposed amid fears of avian flu and in the wake of comments from
President Bush that he might use troops to enforce an avian-flu quarantine. In the
Wednesday conference call, CDC quarantine official Dr. Martin Cetron said the
agency plans to move forward with the policy changes. Officials were not
immediately available Thursday to confirm a timeline for implementation, or whether
they were considering heavy opposition from airlines and the ACLU. The ACLU is
concerned about giving the CDC access to millions of names on passenger manifests,
said Barry Steinhardt, director of the ACLU Technology and Liberty Program.

The proposed regulations say the CDC would comply with current federal privacy
laws, but the new rules don't address a patient's rights to appeal their case, said Boston
University health-law professor George Annas. "It would be helpful to be more
explicit about the rights of people who are isolated or quarantined," he said. "They
should be very specific about how long you can hold someone and when they have a
right to a lawyer, a hearing or a second opinion from an independent doctor." For
now, Annas said, judges asked to rule about quarantines would probably resort to a
more settled area of law for guidance: the mandates about involuntary commitment of
the mentally ill.

The ACLU also opposes the CDC's push for a "provisional" quarantine that would
allow people to be detained for three days with no administrative hearing.
"Historically in America, quarantine law was used as a weapon against immigrants
and people of colour. It was more about xenophobia than about public health,"
Steinhardt said. "We have to be very concerned that that will happen again."

The history of quarantines is "a dark and dirty one," said Northeastern's Parmet. "In
this country, quarantine has been horribly abused. Some people (like Typhoid Mary)
have been quarantined for their whole lives."

While there's no indication that the recently quarantined patient will legally challenge
his confinement, he's clearly unhappy with his predicament. In an interview with the
Atlanta Journal-Constitution, he said: "This is insane to me that I have an armed guard
outside my door when I've cooperated with everything, other than the whole solitary-
confinement-in-Italy thing." (The CDC asked him to stay in Rome and undergo
treatment there; he refused.)

Meanwhile, officials are trying to reach about 100 people who flew on long-haul
flights with the man. The CDC's Cetron didn't say the agency intended to quarantine
those passengers, whose risk of infection CDC officials said is low. The CDC did not
return email and phone requests for additional comment. (Wired News 1/6/07)

13/ Army Squeezes Soldier Blogs, Maybe to Death. The U.S. Army has ordered
soldiers to stop posting to blogs or sending personal e-mail messages, without first
clearing the content with a superior officer, Wired News has learned. The directive,
issued April 19, is the sharpest restriction on troops' online activities since the start of
the Iraq war. And it could mean the end of military blogs, observers say.

Military officials have been wrestling for years with how to handle troops who
publish blogs. Officers have weighed the need for wartime discretion against the
opportunities for the public to personally connect with some of the most effective
advocates for the operations in Afghanistan and Iraq -- the troops themselves. The
secret-keepers have generally won the argument, and the once-permissive atmosphere
has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a
result. The new rules obtained by Wired News require a commander be consulted
before every blog update. "This is the final nail in the coffin for combat blogging,"
said retired paratrooper Matthew Burden, editor of The Blog of War anthology. "No
more military bloggers writing about their experiences in the combat zone. This is the
best PR the military has -- its most honest voice out of the war zone. And it's being
silenced."

Army Regulation 530-1: Operations Security (OPSEC) restricts more than just blogs,
however. Previous editions of the rules asked Army personnel to "consult with their
immediate supervisor" before posting a document "that might contain sensitive and/or
critical information in a public forum." The new version, in contrast, requires "an
OPSEC review prior to publishing" anything -- from "web log (blog) postings" to
comments on internet message boards, from resumes to letters home. Failure to do so,
the document adds, could result in a court-martial, or "administrative, disciplinary,
contractual, or criminal action."

Despite the absolutist language, the guidelines' author, Major Ray Ceralde, said there
is some leeway in enforcement of the rules. "It is not practical to check all
communication, especially private communication," he noted in an e-mail. "Some
units may require that soldiers register their blog with the unit for identification
purposes with occasional spot checks after an initial review. Other units may require a
review before every posting."

But with the regulations drawn so tightly, "many commanders will feel like they have
no choice but to forbid their soldiers from blogging -- or even using e-mail," said Jeff
Nuding, who won the bronze star for his service in Iraq. "If I'm a commander, and
think that any slip-up gets me screwed, I'm making it easy: No blogs," added Nuding,
writer of the "pro-victory" Dadmanly site. "I think this means the end of my
blogging."

Active-duty troops aren't the only ones affected by the new guidelines. Civilians
working for the military, Army contractors -- even soldiers' families -- are all subject
to the directive as well. But, while the regulations may apply to a broad swath of
people, not everybody affected can actually read them. In a Kafka-esque turn, the
guidelines are kept on the military's restricted Army Knowledge Online intranet.
Many Army contractors -- and many family members -- don't have access to the site.
Even those able to get in are finding their access is blocked to that particular file.
"Even though it is supposedly rewritten to include rules for contractors (i.e., me) I am
not allowed to download it," e-mails Perry Jeffries, an Iraq war veteran now working
as a contractor to the Armed Services Blood Program.

The U.S. military -- all militaries -- have long been concerned about their personnel
inadvertently letting sensitive information out. Troops' mail was read and censored
throughout World War II; back home, government posters warned citizens "careless
talk kills." Military blogs, or milblogs, as they're known in service-member circles,
only make the potential for mischief worse. On a website, anyone, including foreign
intelligence agents, can stop by and look for information. "All that stuff we used to
get around a bar and say to each other -- well, now because we're publishing it in open
forums, now it's intel," said milblogger and retired Army officer John Donovan.

Passing on classified data -- real secrets -- is already a serious military crime. The new
regulations (and their author) take an unusually expansive view of what kind of
unclassified information a foe might find useful. In an article published by the official
Army News Service, Maj. Ceralde "described how the Pentagon parking lot had more
parked cars than usual on the evening of Jan. 16, 1991, and how pizza parlours
noticed a significant increase of pizza to the Pentagon.... These observations are
indicators, unclassified information available to all … that Operation Desert Storm
(was about to) beg(i)n."

Steven Aftergood, head of the Federation of American Scientists' Project on
Government Secrecy, called Ceralde's example "outrageous." "It's true that from an
OPSEC (operational security) perspective, almost anything -- pizza orders, office
lights lit at odd hours, full or empty parking lots -- can potentially tip off an observer
that something unusual is afoot," he added. "But real OPSEC is highly discriminating.
It does not mean cutting off the flow of information across the board. If on one day in
1991 an unusual number of pizza orders coincided with the start of Desert Storm, it
doesn't mean that information about pizza orders should now be restricted. That's not
OPSEC, that's just stupidity."

During the early days of the Iraq war, milblogs flew under the radar of the Defense
Department's information security establishment. But after soldiers like Specialist
Colby Buzzell began offering detailed descriptions of firefights that were scantily
covered in the press, blogs began to be viewed by some in the military as a threat -- an
almost endless chorus of unregulated voices that could say just about anything.
Buzzell, for one, was banned from patrols and confined to base after such an incident.
Military officials asked other bloggers to make changes to their sites. One soldier took
down pictures of how well armour stood up to improvised bombs; a military spouse
erased personal information from her site -- including "dates of deployment, photos of
the family, the date their next child is expected, the date of the baby shower and
where the family lives," said Army spokesman Gordon Van Fleet.

But such cases have been rare, Major Elizabeth Robbins noted in a paper for the
Army's Combined Arms Center. "The potential for an OPSEC violation has thus far
outstripped the reality experienced by commanders in the field," she wrote. And in
some military circles, bloggers have gained forceful advocates. The Office of the
Secretary of Defense, for example, now regularly arranges exclusive phone
conferences between bloggers and senior commanders in Afghanistan and Iraq. Major
Robbins, for one, has argued strongly for easing the restrictions on the soldier-
journalists. "The reputation of the Army is maintained on many fronts, and no one
fights harder on its behalf than our young soldiers. We must allow them access to the
fight," Robbins wrote. "To silence the most credible voices -- those at the spear's edge
-- and to disallow them this function is to handicap ourselves on a vital, very real
battlefield."

Nevertheless, commanders have become increasingly worried about the potential for
leaks. In April 2005, military leaders in Iraq told milbloggers to "register" their sites
with superior officers. In September, the Army made the first revision of its OPSEC
regulations since the mid-'90s, ordering GIs to talk to their commanders before
posting potentially problematic information. Soldiers began to drop their websites in
response.

More bloggers followed suit when an alert came down from the highest levels of the
Pentagon that "effective immediately, no information may be placed on websites …
unless it has been reviewed for security concerns," and the Army announced it was
activating a team, the Army Web Risk Assessment Cell, to scan blogs for information
breaches. An official Army dispatch told milbloggers, "Big Brother is not watching
you, but 10 members of a Virginia National Guard unit might be." That unit continues
to look for security violations, new regulations in hand. (Wired News 2/5/07)

14/ Adobe Tackles Photo Forgeries. A suite of photo-authentication tools under
development by Adobe Systems could make it possible to match a digital photo to the
camera that shot it, and to detect some improper manipulation of images, Wired News
has learned. Adobe plans to start rolling out the technology in a number of photo-
authentication plug-ins for its Photoshop product beginning as early as 2008. The
company is working with a leading digital forgery specialist at Dartmouth College,
who met with the Associated Press last month. The push follows a media scandal over
a doctored war photograph published by Reuters last year. The news agency has since
announced that it's working with both Adobe and Canon to come up with ways to
prevent a recurrence of the incident. "Fundamentally, our values as a company
require us to build tools to detect tampering, not just create tampering," said Dave
Story, vice president of product engineering at Adobe.

Photo manipulation is nothing new. During the Stalin era, Soviet officials frequently
vanished from official photographs after falling out of favour at the Kremlin. But the
advent of Photoshop and its variety of tools has made it easier for photographers to
tinker with images after they're captured. By the same token, the internet has allowed
sceptical bloggers around the world to analyse photos in depth, and expose chicanery.
In the most famous recent case, a blogger uncovered the doctoring of a war photo
taken in Lebanon by Reuters photographer Adnan Hajj. The photographer was fired,
and Reuters has since clarified its rules about the use of Photoshop.

AP has not had a similar scandal but is still on guard. "When we look at the
manipulated images that we have come across historically in the AP, it's a tiny, tiny
percentage. But all it takes is one or two and the effects are huge," said Santiago
Lyon, director of photography for the AP, which handles about 750,000 photographs
a year.

Despite the potential for disaster, photo editors still rely on their own eyes to detect
forgery, even as advances in Photoshop technology make manipulations even less
obvious. "We do really advanced math so you can't detect what's going on, and we're
getting better at that every year," Adobe's Story said.

In a speech in Tel Aviv in December and a blog entry, Reuters CEO Tom Glocer said
his company is working with Adobe and Canon to create an "audit trail" that would
reveal changes made to an image. Neither Reuters nor Canon would provide details
on the plan.

Officials at the AP, meanwhile, met Feb. 5 with Hany Farid, a Dartmouth College
professor who studies ways to detect digital forgery, Farid said. Farid is working with
Adobe on its upcoming photo-authentication plug-ins, which will rely on
mathematical algorithms to pinpoint signs of manipulation. Among other things,
Adobe is developing a tool that will detect the use of the copying tool known as the
"clone stamp." The tool will identify when two areas in a photo are "impossibly
similar," Story said. Adobe expects another tool will perform an analysis similar to
firearm ballistics -- confirming the model of camera that took an image, and matching
the image to the individual camera, if it's available. The company also hopes to
develop a plug-in that will detect if a photo has been changed at all since it was taken.
According to Farid, this is possible because cameras don't record all the pixels needed
for a colour image, but instead estimate some colours through a process known as
colour reconstruction, or demosaicing.

A camera's demosaicing process creates connections between pixels, and "when an
image is re-touched, it is likely that these correlations will be destroyed. As such, the
presence or lack of these correlations can be used to authenticate an image, or expose
it as a forgery," Farid writes in an explanation of the technology he is developing.

Lyon said AP might ultimately apply manipulation-detection software to photos from
"casual freelancers" or handouts from government agencies, entertainment
organizations and military officials.

The challenge, Farid said, is to figure out how to detect inappropriate manipulations
and ignore ones that are allowed in media photographs, such as cropping and colour
enhancement. "We can't say, practically, that you can't do anything to the image," he
said. Wrong results -- false positives, in particular -- appear to be the Achilles' heel of
photo authentication technology. The software is "statistical in nature, and there are a
lot of assumptions involved," said Nasir Memon, a professor of computer science at
Polytechnic University who studies digital forensics. "You always have false
positives," Memon said. "Even if you're 90 percent accurate ... you'll be telling 10
percent of the people that their image is fake when it's not."
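The "impossibly similar" clone-stamp check described above, together with Memon's false-positive caveat, as an added example that is not Adobe's or Farid's code: exact 4x4 block matching over a grayscale image (a constructed random texture with a patch cloned into it), with a variance threshold so that flat regions such as sky, which are identical everywhere, are not reported as forgeries.

```python
"""Copy-move (clone stamp) detection by exact block matching.

Added example, not code from Adobe or Dartmouth. A region pasted with the
clone stamp leaves two areas of the image with identical pixels. We slide a
BxB window over the image, hash each block, and report pairs of distinct
positions with identical content. Flat blocks are skipped: a uniform sky
matches itself everywhere, which is the classic false positive.
"""
from collections import defaultdict
import random

B = 4  # block size in pixels (assumption for this example)


def block(img, y, x, b=B):
    """Pixels of the b x b block whose top-left corner is (y, x)."""
    return tuple(img[y + dy][x + dx] for dy in range(b) for dx in range(b))


def variance(vals):
    m = sum(vals) / len(vals)
    return sum((v - m) ** 2 for v in vals) / len(vals)


def find_cloned_blocks(img, b=B, min_var=4.0, min_offset=None):
    """Pairs ((y1, x1), (y2, x2)) of identical textured blocks at least
    min_offset pixels apart. Default offset is one block width, so a block
    is never reported against an overlapping copy of itself."""
    if min_offset is None:
        min_offset = b
    h, w = len(img), len(img[0])
    seen = defaultdict(list)  # block content -> positions where it occurs
    for y in range(h - b + 1):
        for x in range(w - b + 1):
            blk = block(img, y, x, b)
            if variance(blk) < min_var:
                continue  # flat block: duplicates here are expected, not suspicious
            seen[blk].append((y, x))
    pairs = []
    for positions in seen.values():
        for i in range(len(positions)):
            for j in range(i + 1, len(positions)):
                (y1, x1), (y2, x2) = positions[i], positions[j]
                if max(abs(y1 - y2), abs(x1 - x2)) >= min_offset:
                    pairs.append(((y1, x1), (y2, x2)))
    return pairs


def dominant_shift(pairs):
    """A cloned patch moves every block by the same vector; return the most
    common (dy, dx) and how many block pairs share it, or None."""
    counts = defaultdict(int)
    for (y1, x1), (y2, x2) in pairs:
        counts[(y2 - y1, x2 - x1)] += 1
    return max(counts.items(), key=lambda kv: kv[1]) if counts else None


def make_textured_image(h, w, seed=1):
    """Constructed sample: random 8-bit texture, no real photo involved."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(w)] for _ in range(h)]


def clone_region(img, src, dst, size):
    """Simulate the clone stamp: copy a size x size patch from src to dst."""
    out = [row[:] for row in img]
    (sy, sx), (dy, dx) = src, dst
    for r in range(size):
        for c in range(size):
            out[dy + r][dx + c] = img[sy + r][sx + c]
    return out


if __name__ == "__main__":
    original = make_textured_image(32, 32)
    forged = clone_region(original, (2, 2), (20, 16), 8)
    print("original:", len(find_cloned_blocks(original)), "suspicious pairs")
    hits = find_cloned_blocks(forged)
    print("forged:", len(hits), "suspicious pairs, shift", dominant_shift(hits))
    sky = [[200] * 16 for _ in range(16)]
    print("flat region, threshold on:", len(find_cloned_blocks(sky)))
    print("flat region, threshold off:", len(find_cloned_blocks(sky, min_var=0.0)))
```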

Story said Adobe is aware of the potential risk of false positives and will continue
trying to perfect the technology for the next one to three years before releasing the
plug-ins. "We want to get them to a stable enough place and have enough
understanding of how to use them properly that you won't come to invalid
conclusions." (Wired News 8/3/07)

15/ FBI Whistleblower Describes Government Muscle Tactics. A
whistleblower who lost her job and was gagged by the Bush administration after
revealing careerism, corruption and widespread incompetence at the FBI detailed her
difficult search for justice to an audience on Monday at the American Library
Association's annual conference. Sibel Edmonds, hired by the FBI as a translator
shortly after 9/11, was fired in 2002 after reporting a range of problems at the bureau,
including:
--slothful, unqualified employees
--family members of diplomats suspected of spying who translated the wiretaps of
their relatives
--ignored or overlooked intelligence warning of Al-Qaeda's plans to hijack planes and
attack major cities
--evidence of a Turkish bribery ring that, according to some accounts, was connected
to then-Speaker of the House Denny Hastert (R-Illinois)

After Edmonds aired the dirty laundry, her higher-ups cut her loose. Then John
Ashcroft, the U.S. attorney general at the time, invoked the "state secrets privilege," a
little-used Draconian national security measure that stopped Edmonds from
discussing what she knew. Even information about her birthday and the schools she
had attended became classified, a so-called matter of national security too dangerous
to disclose. Of course, the information was already public. A Google search turns it
up instantly. For a time, information about Edmonds' case was even up on the FBI
website. "It is funny and so very sad at the same time," Edmonds told the librarians
yesterday. "The next time I'm pulled over by a cop for speeding or at a red light, and
they say ma'am can you give me your driver's license, I'm going to say: 'I'm sorry,
officer. I can't give it to you. It's classified.'"

But the unusual situation Edmonds finds herself in -- one that she describes as
"Kafkaesque" -- is also quite unnerving. Even though Congress and the Justice
Department's own inspector general determined that several of Edmonds' complaints
about abuse and incompetence had merit, she lost a lawsuit against the FBI. When she
appealed, this strange scene took place:

"My attorney stood up and argued the case about the state secrets privilege. Then the
court asked [us] to step out of the court...while the government argued its side. Can
they do this? This is the United States of America. The guards escorted us out and
they locked the doors. We don't know what [the FBI attorneys] told the judges. My
attorneys could never know what they argued. As far as we know, they could have
made the most outrageous lies. There was no one there to challenge them. We assume
that they did because a few weeks later the court upheld the lower court's ruling."

Edmonds tried to get the U.S. Supreme Court to hear the case. The court declined. In
May 2004, the Justice Department issued a retroactive gag order on Congress,
classifying the briefings Edmonds had given Congress, all FBI briefings, and forcing
members of Congress with information about the case on their web sites to remove it
(which spurred a separate lawsuit).
(Wired News 26/6/07)

16/ Texas-Sized Supercomputer to Break Computing Power Record. Sun's
new supercomputer is built using a huge array of densely packed "blades" -- narrow
server modules that can be plugged into racks, with up to 768 processors per rack.
There's an old saying: "Everything's bigger in Texas." That now applies to
supercomputers as well.

Sun Microsystems announced today that its hardware will power the largest
supercomputer ever built, weighing in with 62,976 CPU cores, 125 terabytes of
memory, 1.7 petabytes of disk space, and 504 teraflops of performance. The
computer, which has been dubbed "Ranger," will be hosted at the Texas Advanced
Computing Center at the University of Texas, Austin. It is due to go online on January
1, 2008. Ranger costs $30 million in hardware alone, and an additional $29 million
for staffing and maintenance -- and is being entirely funded by a grant from the
National Science Foundation. Still, Sun officials say that’s a bargain. "(We have
reached) unprecedented cost performance for scientific computing -- we are at sub-
hundred thousand dollars per teraflop," said Andy Bechtolsheim, chief architect and
co-founder of Sun Microsystems.

Under the hood, Ranger's brain will be built from 16,744 quad-core AMD Opteron
processors. The machine's production timeline is dependent on how fast AMD can
crank out the as-yet-unreleased chips, Bechtolsheim said. At the time of its
completion, Ranger will likely be the largest and fastest supercomputer in the world,
beating out the reigning champion, IBM's BlueGene computer, which comes in at a
"paltry" 327 teraflops. As if that weren't enough, the entirely new cluster will demand
three megawatts of power and will cost the university one million dollars per year to
keep humming.

Beyond Ranger's sheer scale, the real advantage, scientists say, is that it will be
entirely open to the scientific community. Scientists nationwide will be able to
conduct research on it at an unprecedented scale, whereas BlueGene is for classified
work only. "To give you an idea, the system will be about six or seven times larger
than any of the existing systems that the researchers have access to," said Tommy
Minyard, assistant director at the computing centre.

Scientists expect that research in astrophysics, genomics, nanotechnology and
meteorology will be carried out on the Ranger system. "A bigger supercomputer (not
only) lets you run more forecast models. It can also allow you to run higher-resolution
models," said Jay Boisseau, the centre’s director. "You'll also be able to run models
on much larger scales at high fidelity. As they build bigger and bigger
supercomputers, you can do nationwide (weather) forecasting at a higher resolution."

Other computer scientists say that Ranger marks the beginning of a new generation of
machines that approach the petaflop mark, as similar machines are going to be
installed around the country in 2008. "Five to ten years from now, a machine of this
scale will be routine in a modest-sized cluster," said Rick Stevens, associate
laboratory director for Computing and Life Sciences at Argonne National Laboratory.
"In some ways it's like giving us a time machine to look forward five to ten years as to
what general purpose machines will look like. The smart developers will take
advantage of that (today)." (Wired News 26/6/07)

17/ Laptops a Hot Fertility Issue. Men who regularly balance their laptop
computers on their laps when working may be jeopardizing their ability to have
children, according to a new study from fertility researchers at the State University of
New York at Stony Brook. The potential risk comes from the heat generated by the
laptop computer and the close position of one's thighs when balancing the computer
on one's lap, the researchers found. This heat is transferred to the scrotum, where the
temperature can rise several degrees, putting users within the danger zone for
testicular dysfunction. The findings suggest that young men should place laptop
computers on a desk, a table or anywhere else but their own laps.

"I definitely recommend that teenage boys and young males limit the use of laptop
computers because the results may be unpredictable," said lead researcher Yefim
Sheynkin, director of male infertility and microsurgery at the university. "Don't get
me wrong -- the laptop computer is very useful and helpful. But we need to be
cautious."

Scientists have known for years that an increase of even 1 degree Celsius in testicular
or scrotal temperature can decrease the production of healthy sperm by as much as 40
percent. In the Stony Brook study, researchers found that test subjects who sat for an
hour with running laptops on their laps had a median increase in scrotal temperature
of 2.6 to 2.8 degrees Celsius. The 29 volunteers, aged 21 to 35, were also asked to sit
with their thighs together for an hour without a laptop. This resulted in a median
increase in scrotal temperature of 2.1 degrees, suggesting that the act of balancing a
laptop computer is just as much to blame as the heat generated by it. Two unidentified
brands of Pentium 4 laptops were used at random in the study. Additionally, the
volunteers were required to wear the same type of clothing in both tests to rule out
variations caused by differences in underwear and pants. The volunteers' scrotal
temperatures were measured every several minutes with a device attached to both
sides of subjects' scrotums. The tests did not measure the volunteers' actual sperm
production.

Because of this, laptop users may want to wait for further studies before deciding to
change their computing habits, cautioned Moshe Wald, a male infertility specialist in
the University of Iowa's urology department who was not affiliated with the study.
"They definitely made their point that temperatures are elevated. And since we know
that elevated temperatures might affect sperm production, this is something we might
want to look into," he said. But, "I am reluctantly going ahead with recommendations
about laptop use at this point. This is a first-stage study."

Sheynkin agreed that more research is necessary to prove the link between laptop use
and infertility, but he said he felt that the findings so far indicate a need for caution --
especially among laptop users who may be trying to conceive a child. "In the
questionnaires that I give to my patients before I see them, I ask if they use hot baths
or a sauna, and I tell them that they should stop it if they are trying to conceive," he
said. "I am now going to start asking if they use laptop computers." The results of the
study will be published in the February 2005 issue of the journal Human
Reproduction. (Wired News 8/12/04)

18/ In Italy, CIA Agents Were Undone By Their Cell Phones. The CIA needs
to get a Q. James Bond's gadget guru surely would have warned the agency about
how easy it is to track calls made via cell phone. Now 25 of its agents are facing trial
in absentia in Milan, Italy, this summer — undone by their pathetic ignorance of
technology. It seems that cellular data exposed their operation to carry out the
"extraordinary rendition" of an Egyptian cleric suspected of terrorist involvement
from a Milan street in 2003.

Cell phones communicate with nearby transmission towers when making and
receiving calls. As many criminals know, tower location is recorded with the billing
data. The spooks apparently didn't realize this and left a trail of cellular footprints at
the crime scene. When an Italian prosecutor pulled the records of phones in the area at
the time, the plot became apparent. He was able to identify the agents (by alias),
where they had stayed, and even calls they made to northern Virginia (where CIA
headquarters is), the US consulate in Milan, a US Air Force base in Aviano, and each
other. The cleric, Abu Omar, has been released. But should the operatives — likely
back in the States — be found guilty, they won't be able to travel anywhere Interpol
operates. Maybe they can telecommute.

How They Did It

The CIA's snatch team used unsecured mobile handsets to communicate during the
kidnapping. By zeroing in on phones in the area that were unusually active at the time
of the grab — many calling each other — authorities were able to identify the
handsets involved. Soon they knew the agents' aliases, where they had stayed, and
who else they had called.

Checking in with headquarters

One of the agents participating in the abduction used his cell phone to call Robert
Lady, the CIA station chief in Milan. This provided Italian investigators with the first
undeniable link to CIA involvement. Lady has been forced to leave Italy and is now
among those facing charges.

Planning the escape

Several phones involved in the operation called an Air Force base in Aviano, both
before and immediately after the event. Among the numbers dialled: the mobile phone
of a commanding officer at the base. This revealed the getaway. Italian authorities
believe the cleric was held at Aviano before being flown to Egypt, where he claims to
have been tortured. (Wired News 26/6/07)
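The tower-record analysis described above, as an added example that is not part of the article: given call detail records (CDRs) whose lines carry the serving cell, it lists the handsets that called from the cells around a location in a time window, groups those that called one another, and lists the outside numbers the group contacted. The CDR lines, cell ids and numbers are constructed for the example; real billing records carry more fields.

```python
"""What cell-tower metadata in billing records reveals.

Added example, not from the article or the Italian investigation. Each
constructed CDR line is: timestamp, caller, callee, cell serving the caller.
Only metadata is used; no call content is involved.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real numbers or cells).
SAMPLE_CDR = """\
2003-02-17T11:40:00,+39-A1,+39-A2,CELL-7
2003-02-17T11:42:30,+39-A2,+39-A3,CELL-7
2003-02-17T11:45:10,+39-A3,+39-A1,CELL-8
2003-02-17T11:50:00,+39-A1,+1-703-HQ,CELL-7
2003-02-17T11:51:00,+39-B9,+39-C4,CELL-7
2003-02-17T09:00:00,+39-A1,+39-A2,CELL-7
2003-02-17T11:47:00,+39-D5,+39-D6,CELL-3
"""
GRAB_CELLS = {"CELL-7", "CELL-8"}  # cells covering the street (assumed)
GRAB_WINDOW = ("2003-02-17T11:30:00", "2003-02-17T12:00:00")


def parse_cdr(text):
    """Parse CSV-style CDR lines into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, caller, callee, cell = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                        "callee": callee, "cell": cell})
    return records


def in_window(records, cells, window):
    """Records placed from one of `cells` within the [start, end] window."""
    start, end = (datetime.fromisoformat(w) for w in window)
    return [r for r in records if r["cell"] in cells and start <= r["ts"] <= end]


def handsets_near(records, cells, window):
    """Handset -> number of calls it placed from the area during the window."""
    counts = defaultdict(int)
    for r in in_window(records, cells, window):
        counts[r["caller"]] += 1
    return dict(counts)


def mutual_callers(records, handsets, cells, window):
    """Groups (connected components) of handsets that called each other."""
    adj = defaultdict(set)
    for r in in_window(records, cells, window):
        a, b = r["caller"], r["callee"]
        if a in handsets and b in handsets:
            adj[a].add(b)
            adj[b].add(a)
    clusters, seen = [], set()
    for h in sorted(adj):
        if h in seen:
            continue
        stack, comp = [h], set()
        while stack:  # depth-first walk of one component
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        clusters.append(comp)
    return clusters


def external_contacts(records, cluster, cells, window):
    """Numbers outside the cluster that cluster members called in the window."""
    return {r["callee"] for r in in_window(records, cells, window)
            if r["caller"] in cluster and r["callee"] not in cluster}


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    active = handsets_near(recs, GRAB_CELLS, GRAB_WINDOW)
    print("active in area:", active)
    for group in mutual_callers(recs, set(active), GRAB_CELLS, GRAB_WINDOW):
        print("group:", sorted(group), "called outside:",
              external_contacts(recs, group, GRAB_CELLS, GRAB_WINDOW))
```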

19a/ UK Library wants your sent email. The British Library is currently collecting
email messages. During June the Library, in partnership with Microsoft, has been
collecting email from Britons and others to capture a sense of life in the 21st
century. The project website is www.newhotmail.co.uk/emailbritain.

19b/ A new program I’ve heard about which I’ll share is Comodo BOClean, an anti-
malware program. As at 6 June it was able to deal with 25,820 annoyances and is being
continually updated – these include Trojans, adware, spyware, backdoors, droppers,
rootkits, dialers and more. See www.comodo.com/boclean.

(Bangkok Post Database section pages 2 and 7)

20/ Dark traffic. All 8 key federal government security departments (also known
as G8) will have comprehensive new controls on dark internet traffic by the end of
June. Dark traffic includes denial of service attacks, bulk email spam, phishing
attacks seeking to inveigle financial details from the unwary, malformed internet
message packets, invalid addresses and directory harvest attacks. MailGate email
security hardware boxes and software are being installed in key departments to filter,
validate, organise, encrypt and manage identity authentication for email, including
traffic over the internet and dedicated private networks. Work is being undertaken by
Tumbleweed Communications. (AFR 1/6/07 p76 and 77)

21/ French security agencies impose bans on BlackBerrys. French security
agencies have imposed bans on the use of BlackBerrys by staff in the French
President’s and Prime Minister’s offices. The Australian Government is looking at
related issues. Most messages on BlackBerrys are routed through servers in the US
and Canada. The French are concerned the US National Security Agency may be able
to intercept content. (AFR 26/6/07 p34)

22/ ABC is putting most video from its major news bulletins on its website, as
well as clips from current affairs programs. This is on a new site that took 18
months to plan and 12 months to develop and which heavily emphasises video and
audio content. (AFR 26/6/07 p34)

============================================

Reports since January 1999 are being placed on the NSW page of the Records
Management Association of Australasia Web page at http://www.rmaa.com.au. Any
comments or ideas about these reports should be referred to the editor, Geoff Smith, at
geoffsmith@unwired.com.au or geoff_smith98@hotmail.com. If people want copies
of these reports emailed to them please contact the editor.

If readers are interested in records management matters a useful forum for discussion
is the Australian Records Management Listserv. See the RMAA webpage at
http://www.rmaa.com.au.

For readers interested in technology matters, a useful forum for discussion is the
Economic, Legal and Social Implications Committee (ELSIC) of the Australian
Computer Society email list. Check the following Web address:
http://www.acs.org.au/index-lists.htm.

Geoff Smith ARMA AIMM GradCertMngt (Public Sector) (Macquarie)
Chair, Industry Technology and Standards Committee, NSW
Records Management Association of Australasia

1 July 2007
